b'January 3, 2011\n\nVINCENT H. DEVITO JR\nVICE PRESIDENT, CONTROLLER\n\nSUBJECT: Management Advisory \xe2\x80\x93 Fiscal Year 2010 Quality of Postal Service\n         Financial Testing and Compliance Results (Report Number FF-MA-11-001)\n\nThis report presents the results of our review of the quality of Financial Testing\nCompliance (FTC) work at business mail acceptance (BMA) units, postal retail units\n(PRU), and mail processing centers (Project Numbers 10BD005FF000 and\n10BD005FF001).1 The objectives of our report were to determine if the FTC review\nresults agreed with the U.S. Postal Service Office of Inspector General (OIG) results\nand to evaluate the quality of FTC work. We conducted this review in support of the\nindependent public accounting firm\xe2\x80\x99s (IPA) overall audit opinion on the U.S. Postal\nService\xe2\x80\x99s internal controls over financial reporting. See Appendix A for additional\ninformation about this review.\n\nThe Postal Service must prepare and submit annual reports on Sarbanes-Oxley Act of\n2002 (SOX) compliance to the Postal Regulatory Commission (PRC) beginning with\nfiscal year (FY) 2010. To comply with SOX, the postmaster general and the chief\nfinancial officer must report on the effectiveness of the Postal Service\xe2\x80\x99s internal controls\nover financial reporting. FTC tests key financial reporting controls and senior Postal\nService leaders use the results to identify and correct internal control deficiencies. The\nresults of the Postal Service\xe2\x80\x99s overall SOX assessment are reported to the PRC. The\nPostal Service\xe2\x80\x99s Financial Control and Support (FC&S) group oversees the work of the\nFTC.\n\nConclusion\n\nFTC did not always report all exceptions they identified during their reviews, causing\ntheir results to not always be consistent with the OIG\xe2\x80\x99s results. Further, we were\nsometimes unable to determine if the OIG\xe2\x80\x99s and FTC\xe2\x80\x99s results were consistent because\nof insufficient FTC supporting documentation. We also noted other working paper\ndocumentation issues, such as FTC not providing all sampling methodology\ndocumentation to the OIG; however, this did not affect our ability to determine if FTC\xe2\x80\x99s\n\n1\n Project Number 10BD005FF000 was initiated to review the results of FTC\xe2\x80\x99s work conducted February through July\n2010. Project number 10BD005FF001 was to review the results of FTC\xe2\x80\x99s July through September 2010 work on the\neffectiveness of management\xe2\x80\x99s remediation efforts conducted.\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing                                          FF-MA-11-001\n and Compliance Results\n\n\nand the OIG\xe2\x80\x99s results were consistent. Most of the issues we identified were in reviews\nFTC conducted early in their testing schedule. Given that FTC was a newly formed\ngroup and analysts were learning new jobs and implementing new review programs, we\nexpected these results. Throughout the year, we communicated these issues to the\nFC&S manager. In later reviews, we found that there were fewer issues and improved\nFTC reviews.\n\nConsistency and Quality Issues Identified but Improvements Made\n\nWhile we identified a number of issues during our examination of FTC reviews, the\nnumber of examinations with issues declined. Table 1 presents the OIG\xe2\x80\x99s examination\nresults by FTC testing period.\n\n                                   Table 1: OIG Examination Results\n\n                                      Number of Examinations with Issues OIG Identified in FTC\n                                                       Reviews (by review period)\n                                                    FTC Testing                         Post-\n                                           February - September 2010               Remediation\n                                                                       2\n                                              (of 60 OIG Examinations)                Testing3\n                                             February-May        June-September     August and\n  OIG Examination Results                          2010                  2010     September 2010\n        Categorized by                          (of 34 OIG            (of 26 OIG      (of 24 OIG\n          Significance               Total    Examinations)         Examinations)   Examinations)\n Level I - FTC results not\n consistent with the OIG\xe2\x80\x99s\n                                       18               15                     3                       3\n results (for example, not all\n exceptions were reported).\n Level II - FTC supporting\n documentation was\n insufficient to determine             17               12                     5                       0\n OIG agreement with FTC\n conclusions.\n Level III - Supporting\n documentation issues that\n did not cause the FTC to\n                                       35               30                     5                       0\n incorrectly report results or\n to be inconsistent with OIG\n results.\nSource: OIG Analysis\n\n\n\n\n2\n  Each FTC review could have one or more exceptions in each of levels I, II and III.\n3\n  The Postal Service performs remediation, or correction of a design or operating deficiency, for the internal control\ngaps identified during process documentation and operating effectiveness gaps identified during testing. FTC re-\ntested controls they had previously determined as failed after the Postal Service remediated those controls.\n\n\n\n\n                                                             2\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing                   FF-MA-11-001\n and Compliance Results\n\n\nFTC\xe2\x80\x99s Results Were Not Always the Same as the OIG\xe2\x80\x99s Results\n\nFTC results were not always consistent with OIG results. For example, in some reviews,\nFTC did not always report the exceptions they noted during their reviews, causing their\nresults to differ from the OIG\xe2\x80\x99s results.\n\nFTC analysts stated these differences occurred primarily due to an FTC analyst error or\noversight, or because the FTC analyst did not consider the exceptions reportable. The\nOIG and the IPA considered all exceptions reportable and communicated that to the\nPostal Service.\n\nWe identified this issue primarily in the early FTC reviews:\n\n    \xef\x82\xa7   In 15 of 34 FTC reviews conducted from February through May 2010.\n    \xef\x82\xa7   In three of 26 FTC reviews conducted from June through September 2010.\n    \xef\x82\xa7   In three of 24 post-remediation reviews.\n\nInsufficient Documentation\n\nFTC analysts did not always provide supporting documentation sufficient for the OIG to\ndetermine consistency between FTC- and OIG-reported results. For example, we noted\nFTC analysts did not always document interviews with management and unit personnel\nor document whether they confirmed that permit holder permit accounts were current\nand up-to-date. In addition, the working papers that FTC provided did not include\ndocumentation to support the type of mail verifications they performed; inquiries of BMA\nmanagement and personnel to determine critical times and identification of BMA\npersonnel by tour; or an explanation of whether they used required reports to execute\nthe steps.\n\nFTC analysts stated these issues generally occurred due to an FTC analyst error or\noversight in documenting work performed. Additionally, in some cases, FTC personnel\nstated they did not include system reports in their supporting documentation because\nthe reports were too large. As a result, we were unable to determine whether the FTC\nanalysts executed the program properly or how they reached their conclusions. While\nwe agree that some reports may be too large to include in supporting documentation,\nFTC analysts should document what reports they used, how they used them, and the\nreason for not including some reports in the working papers. It is critical to carefully note\nand report the work performed to ensure those evaluating the work can determine\nwhether the conclusions reached are fully supported so that management can\nconfidently report on the state of internal controls.\n\nWe again identified this issue primarily in the following early FTC reviews:\n\n    \xef\x82\xa7   Twelve of 34 FTC reviews performed from February through May 2010.\n    \xef\x82\xa7   Five of 26 FTC reviews performed from June through September 2010.\n\n\n\n\n                                                      3\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing                                      FF-MA-11-001\n and Compliance Results\n\n\n\nWe found no instances in any of the 24 post-remediation reviews.\n\nOther Documentation Issues\n\nDuring our examinations, we identified instances in which working paper documentation\ncould be improved. However, the documentation was sufficient for us to reach the same\nconclusions as FTC. For example,\n\n    \xef\x82\xa7   Mailing Activity reports4 were not annotated to indicate days tested.\n\n    \xef\x82\xa7   Postage statements statistically selected for testing were replaced with other\n        postage statements without explanation.\n\n    \xef\x82\xa7   The number of postage statements reviewed per the Mailing Activity report was\n        different from what was in FTC documentation.\n\n    \xef\x82\xa7   Spreadsheets did not contain legends to explain notations.\n\n    \xef\x82\xa7   Supporting documentation showed that FTC reviewed one accountability while\n        other supporting documentation showed they reviewed two.\n\nWe identified these issues in 30 of 34 FTC reviews conducted from February through\nMay 2010 and in five of 26 FTC reviews conducted from June through September 2010.\nWe did not note any instances during the 24 post-remediation reviews. Although FTC\nmanagers provided a variety of causes for the above issues, we believe the overall\ncause was the challenge arising from forming the new FTC organization.\n\nIt is critical that FTC report all exceptions noted during their reviews and fully document\nall work performed. Without this critical information, management will be unable to\nassess the true nature of control failures and will be severely limited in their ability to\ntake corrective action.\n\nAfter the first few reviews, the OIG provided feedback to the FC&S manager regarding\nthe issues noted. Based on that feedback, FTC revised their review programs and\nsuspended their reviews for 1 week (in April 2010) to provide additional training to the\nFTC analysts. After the training, we identified these types of issues less frequently. In\naddition, FC&S took corrective action to address the issues we brought to their attention\nthroughout the review process. Because the number of issues we identified significantly\ndeclined beginning with the June FTC reviews, we are not making recommendations in\nthis report.\n\n\n4\n The PostalOne! Mailing Activity Report provides the detailed mailing data by permit and mailing date. FTC uses this\ndata to determine postage statement sample size and statement selection.\n\n\n\n\n                                                         4\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing               FF-MA-11-001\n and Compliance Results\n\n\nManagement\xe2\x80\x99s Comments\n\nManagement agreed with the findings and reiterated that they took corrective actions\nthroughout the year. See Appendix B for management\xe2\x80\x99s comments in their entirety.\n\nEvaluation of Management\xe2\x80\x99s Comments\n\nWe agree with management\xe2\x80\x99s comments that corrective actions were taken throughout\nthe year.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Linda Libician-Welch, director,\nField Financial \xe2\x80\x93 West, or me at 703-248-2100.\n\n -Signed by Linda J. Libician-Welc\nVERIFY authenticity with ApproveI\n\n\n\nfor\nJohn E. Cihota\nDeputy Assistant Inspector General\n for Financial Accountability\n\nAttachments\n\ncc: Joseph Corbett\n    Steven R. Phelps\n    Corporate Audit and Response Management\n\n\n\n\n                                                      5\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing                 FF-MA-11-001\n and Compliance Results\n\n\n                          APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nThe Postal Accountability and Enhancement Act of 2006 required the Postal Service to\ncomply with Section 404 of SOX by September 30, 2010. SOX requires management to\nassess its internal controls over financial reporting annually and obtain an opinion\nregarding the effectiveness of those controls from its IPA.\n\nIn addition to Section 404, the Postal Service must comply with other sections of SOX\nthat are closely associated with that section. For example, Section 302 requires the\nchief executive officer and chief financial officer to certify that financial statements and\nother financial information in the quarterly and annual reports fairly present, in all\nmaterial respects, the financial condition, the results of operations, and the cash flows of\nthe Postal Service. The chief executive officer and chief financial officer must also\ncertify and that they are responsible for establishing and maintaining disclosure controls\nand procedures as well as internal controls over financial reporting. The Postal Service\nsubmits an annual assessment on the effectiveness of its internal controls to the PRC,\nwho monitors and manages Postal Service compliance with SOX.\n\nThe Postal Service created a SOX Program Management Office (PMO) within the\nFinance organization to lead the SOX implementation efforts. The FTC, established in\nlate FY 2009, reports to the PMO through the FC&S manager. The FTC consists of 22\nteams with about 179 employees divided into three divisions \xe2\x80\x94 East, Central, and\nWest. FTC analysts test the effectiveness of key financial controls in the field in support\nof SOX compliance for PRUs, BMA units, and plant verified drop shipments (PVDS) at\nmail processing centers and post offices. The FTC also tests controls that management\nhas remediated to determine if the corrective action is effective. In FY 2010, the FTC\nconducted PRU and BMA testing from January through July 2010 and PVDS testing in\nSeptember 2010. In addition, in August 2010, the FTC conducted BMA re-testing on\ncontrols that management had remediated.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objectives of our review were to determine whether the FTC\xe2\x80\x99s results agreed with\nthe OIG\xe2\x80\x99s results and to evaluate the quality of the FTCs\xe2\x80\x99 work. We conducted this\nreview in support of the IPA\xe2\x80\x99s overall audit opinion on the U.S. Postal Service\xe2\x80\x99s internal\ncontrols over financial reporting. Specifically, we examined the FTC\xe2\x80\x99s testing of key\nfinancial reporting controls developed for evaluating SOX compliance.\n\nTo accomplish our objectives, we initially planned to perform this work in conjunction\nwith our financial installation audits of Post Offices (PO) (Project Number\n10BD001FF000) and business mail entry units (BMEU) (Project Number\n10BD002FF000) in support of the annual audit of the financial statements. However, in\nconsultation with the IPA, we decided to maintain separate samples for the financial\n\n\n\n\n                                                      6\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing                                        FF-MA-11-001\n and Compliance Results\n\n\ninstallation work and the examinations of the FTC reviews. Thus, we used three\napproaches to examine the FTC reviews:\n\n    \xef\x82\xa7    Desk examinations during which we reviewed FTC working papers only.\n\n    \xef\x82\xa7    On-site examinations during which we reviewed FTC working papers and\n         conducted limited re-testing of FTC tested controls.\n\n    \xef\x82\xa7    Concurrent examinations during which we were on-site at the same time as the\n         FTC and observed FTC analysts conducting their reviews.\n\nWe judgmentally selected 84 FTC reviews for examination as shown in Table 2.\n\n             Table 2: Number and Type of OIG Examinations of FTC Reviews\n\n                                  FY Quarter in               Type and Number of OIG Examinations\n                                   Which FTC\n                                  Performed the\n Type of FTC Review                 Reviews                   Desk       On-Site       Concurrent        Total\n PRU                                    II, III                11          11              0              22\n BMA                                 II, III, IV               11          11              6              28\n PVDS                                     IV                    0           0             10              10\n Post Remediation BMA                     IV                    0           0             24              24\n Totals                                                        22          22             40              84\nSource: OIG Analysis\n\nWe conducted this review from March 2010 through January 2011 in accordance with\nthe Quality Standards for Inspections.5 We discussed our observations and conclusions\nwith management officials on December 16, 2010, and included their comments where\nappropriate. We assessed the reliability of computer-generated data by verifying it to\nsource records. We determined that the data were sufficiently reliable for the purposes\nof this report.\n\nPRIOR AUDIT COVERAGE\n\nThe OIG did not identify any prior audits or reviews related to the objective of this audit.\n\n\n\n\n5\n  The President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE) and the Executive Council on Integrity and Efficiency\n(ECIE) last promulgated these standards in January 2005. Since then, The Inspector General Act of 1978 as\namended by the IG Reform Act of 2008 created the Council of the Inspectors General on Integrity and Efficiency\n(CIGIE), which combined the PCIE and ECIE. To date, the Quality Standards for Inspections are not amended to\nreflect adoption by the CIGIE. As a result, we still reference the PCIE and ECIE.\n\n\n\n\n                                                          7\n\x0cFiscal Year 2010 Quality of Postal Service Financial Testing   FF-MA-11-001\n and Compliance Results\n\n\n                         APPENDIX B: MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n                                                      8\n\x0c'